run kong with compose

Posted on December 29, 2017 by manuel

Here a simple docker-compose.yml file to get kong community up and running. It is configured to use postgresql that persists data to a local docker volume. All ports are mapped to localhost only and log goes to stdout/stderr.

version: '3.4'
services:
  kong-db:
    image: 'postgres:10.1'
    ports:
      - 127.0.0.1:5432:5432
    environment:
      POSTGRES_USER: kong
      POSTGRES_PASSWORD: kong
      POSTGRES_DB: kong
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - db-volume:/var/lib/postgresql/data/pgdata
    healthcheck:
      test: 'echo "select 1" | psql -U kong kong || exit 1'
      interval: 1m
      timeout: 3s
      retries: 3
    restart: unless-stopped

  kong:
    image: 'kong:0.11.2'
    ports:
      - 127.0.0.1:8000:8000
      - 127.0.0.1:8443:8443
      - 127.0.0.1:8001:8001
      - 127.0.0.1:8444:8444
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-db
      KONG_PG_DATABASE: kong
      KONG_PG_USER: kong
      KONG_PG_PASSWORD: kong
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_ADMIN_ERROR_LOG: /dev/stderr
    links:
      - kong-db
# uncomment following line to run migrations for a new database
#    command: kong migrations up -v
    depends_on:
      - kong-db
    healthcheck:
      test: 'curl -f http://localhost:8001/status || exit 1'
      interval: 1m
      timeout: 3s
      retries: 3
    restart: unless-stopped

volumes:
  db-volume:

version: '3.4'

services:

kong-db:

image: 'postgres:10.1'

ports:

- 127.0.0.1:5432:5432

environment:

POSTGRES_USER: kong

POSTGRES_PASSWORD: kong

POSTGRES_DB: kong

PGDATA: /var/lib/postgresql/data/pgdata

volumes:

- db-volume:/var/lib/postgresql/data/pgdata

healthcheck:

test: 'echo "select 1" | psql -U kong kong || exit 1'

interval: 1m

timeout: 3s

retries: 3

restart: unless-stopped

kong:

image: 'kong:0.11.2'

ports:

- 127.0.0.1:8000:8000

- 127.0.0.1:8443:8443

- 127.0.0.1:8001:8001

- 127.0.0.1:8444:8444

environment:

KONG_DATABASE: postgres

KONG_PG_HOST: kong-db

KONG_PG_DATABASE: kong

KONG_PG_USER: kong

KONG_PG_PASSWORD: kong

KONG_PROXY_ACCESS_LOG: /dev/stdout

KONG_ADMIN_ACCESS_LOG: /dev/stdout

KONG_PROXY_ERROR_LOG: /dev/stderr

KONG_ADMIN_ERROR_LOG: /dev/stderr

links:

- kong-db

# uncomment following line to run migrations for a new database

# command: kong migrations up -v

depends_on:

- kong-db

healthcheck:

test: 'curl -f http://localhost:8001/status || exit 1'

interval: 1m

timeout: 3s

retries: 3

restart: unless-stopped

volumes:

db-volume:

Attention: The kong container fails to start unless migrations are not run on the connected database. To do this simply uncomment the marked line and start the containers. With the command set the container will execute database migrations and stop with exit code 0. After that the line can be commented out again. Then you can start kong with the given file.

IntelliJ IDEA on Mac OS

Posted on October 29, 2017 by manuel

When using IntelliJ IDEA with Spring Boot on a Mac make sure you have the entry

127.0.0.1 <hostname>.local

1	127.0.0.1 <hostname>.local

in your /etc/hosts file. Replace <hostname> with your Mac’s name. Also make sure that the result of the command ‘hostname’ is in your /etc/hosts file as well pointing to your local address.

Java 9 released

Posted on September 23, 2017 by manuel

After years of development Oracle has released Java 9. It is available to download from the Oracle page as usual. Here is the EOL message for Java 8:

End of Public Updates for Oracle JDK 8

Oracle will not post further updates of Java SE 8 to its public download sites for commercial use after September 2018. Customers who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 8 or previous versions can get long term support through Oracle Java SE Advanced, Oracle Java SE Advanced Desktop, or Oracle Java SE Suite. For more information, and details on how to receive longer term support for Oracle JDK 8, please see the Oracle Java SE Support Roadmap.

Openssl certificates for apache

Posted on September 20, 2017 by manuel

In my former post i described a way how to create self signed SSL certificates with an own certificate authority. These certificates didn’t work in latest chrome versions so I updated my scripts to create valid certificates for chrome. This time I only create wildcard certificates because creating one for every subdomain was annoying.

#!/bin/bash
if [ -e ca.key ]; then
	echo "ca.key already exists"
	exit 1
fi

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=Coffeebeans/CN=Coffeebeans Domain Validation Secure Server CA/emailAddress=office@coffeebeans.at"

#!/bin/bash

if [ -e ca.key ]; then

echo "ca.key already exists"

exit 1

openssl genrsa -out ca.key 4096

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \

-subj "/C=AT/ST=Vienna/L=Vienna/O=Coffeebeans/CN=Coffeebeans Domain Validation Secure Server CA/emailAddress=office@coffeebeans.at"

#!/bin/bash
NAME=star.$1
if [ "star." == $NAME ]; then
	echo "usage: $0 <domain.name>"
	exit 1
fi
if [ -e $NAME.key ]; then
	echo "$NAME.key already exists"
	exit 1
fi
if [ ! -e ca.crt ]; then
	echo "no ca certificate created"
	exit 1
fi

CONFIG=$(cat <<-EOF
[ca]
default_ca=CA_default

[CA_default]
dir=./ca
database=\$dir/index.txt
new_certs_dir=\$dir/newcerts
serial=\$dir/serial
private_key=./ca.key
certificate=./ca.crt
default_days=3650
default_md=sha256
policy=policy_anything
copy_extensions=copyall

[policy_anything]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional

[req]
default_bits=4096
prompt=no
default_md=sha256
req_extensions=req_ext
distinguished_name=dn
 
[ dn ]
C=AT
ST=Vienna
L=Vienna
OU=Domain Control Validated
emailAddress=office@coffeebeans.at
CN=*.$1
 
[ req_ext ]
subjectAltName=@alt_names
 
[ alt_names ]
DNS.1=$1
DNS.2=*.$1
EOF
)

# PREPARE
echo "$CONFIG" > config.txt
if [ ! -d ./ca ]; then
	mkdir -p ./ca/newcerts
	touch ./ca/index.txt
fi

openssl genrsa -out $NAME.key 4096
openssl req -new -key $NAME.key -out $NAME.csr -config config.txt
openssl ca -create_serial -batch -in $NAME.csr -out $NAME.crt -config config.txt

# CLEANUP
rm -f *.csr config.txt
chmod 644 *.key *.crt

#!/bin/bash

NAME=star.$1

if [ "star." == $NAME ]; then

echo "usage: $0 <domain.name>"

exit 1

if [ -e $NAME.key ]; then

echo "$NAME.key already exists"

exit 1

if [ ! -e ca.crt ]; then

echo "no ca certificate created"

exit 1

CONFIG=$(cat <<-EOF

[ca]

default_ca=CA_default

[CA_default]

dir=./ca

database=\$dir/index.txt

new_certs_dir=\$dir/newcerts

serial=\$dir/serial

private_key=./ca.key

certificate=./ca.crt

default_days=3650

default_md=sha256

policy=policy_anything

copy_extensions=copyall

[policy_anything]

countryName=optional

stateOrProvinceName=optional

localityName=optional

organizationName=optional

organizationalUnitName=optional

commonName=supplied

emailAddress=optional

[req]

default_bits=4096

prompt=no

default_md=sha256

req_extensions=req_ext

distinguished_name=dn

[ dn ]

C=AT

ST=Vienna

L=Vienna

OU=Domain Control Validated

emailAddress=office@coffeebeans.at

CN=*.$1

[ req_ext ]

subjectAltName=@alt_names

[ alt_names ]

DNS.1=$1

DNS.2=*.$1

EOF

)

# PREPARE

echo "$CONFIG" > config.txt

if [ ! -d ./ca ]; then

mkdir -p ./ca/newcerts

touch ./ca/index.txt

openssl genrsa -out $NAME.key 4096

openssl req -new -key $NAME.key -out $NAME.csr -config config.txt

openssl ca -create_serial -batch -in $NAME.csr -out $NAME.crt -config config.txt

# CLEANUP

rm -f *.csr config.txt

chmod 644 *.key *.crt

I also tried to use these certificates in postfix which did NOT work. To create files for postfix see my former post.

Robo 3T MongoDB client fails to start on ubuntu 16.04

Posted on September 11, 2017 by manuel

I tried to rim robo3t-1.1.1-linux-x86_64 downloaded from https://robomongo.org/ and got the following error when trying to run it:

This application failed to start because it could not find or load the Qt platform plugin "xcb"
in "".

Available platform plugins are: xcb.

Reinstalling the application may fix this problem.
Aborted

This application failed to start because it could not find or load the Qt platform plugin "xcb"

in "".

Available platform plugins are: xcb.

Reinstalling the application may fix this problem.

Aborted

Trying to install xcb via apt install xcb doesn’t change the behavior. Then I found a solution by removing all libstdc++* files from the lib directory in the extracted directory:

rm lib/libstdc++*

1	rm lib/libstdc++*

failed to run Kubelet: failed to create kubelet: misconfiguration: kubelet cgroup driver: “systemd” is different from docker cgroup driver: “cgroupfs”

Posted on August 28, 2017 by manuel

Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

Docker version 17.06.0-ce, build 02c1d87

openshift-origin-server-v3.6.0-c4dd4cf-linux-64bit

I followed the steps under https://docs.openshift.org/latest/getting_started/administrators.html#downloading-the-binary and got the error in the title. To fix this you have to add “–exec-opt native.cgroupdriver=systemd” to ExecStart of docker. The best way to do this is to add a addin file /etc/systemd/system/docker.service.d/override.conf with following content:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --exec-opt native.cgroupdriver=systemd

[Service]

ExecStart=

ExecStart=/usr/bin/dockerd -H fd:// --exec-opt native.cgroupdriver=systemd

Then reload systemd and restart docker:

sudo systemctl daemon-reload
sudo systemctl restart docker

1 2	sudo systemctl daemon-reload sudo systemctl restart docker

SSL certificates for apache

Posted on August 7, 2017 by manuel

Simple way to create self-signed SSL certificates.

#!/bin/bash
# usage: ./create-ca.sh
if [ -e ca.key ]; then
	echo "ca.key already exists"
	exit 1
fi

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=coffeebeans.at/emailAddress=office@coffeebeans.at"

#!/bin/bash

# usage: ./create-ca.sh

if [ -e ca.key ]; then

echo "ca.key already exists"

exit 1

openssl genrsa -out ca.key 4096

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \

-subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=coffeebeans.at/emailAddress=office@coffeebeans.at"

#!/bin/bash
# usage: ./create-key.sh CN
NAME=$1
SERIAL=`ls -l *.key | wc -l`

if [ $SERIAL -lt 10 ]; then
	SERIAL="0$SERIAL"
fi

if [ -e $NAME.key ]; then
	echo "$NAME.key already exists"
	exit 1
fi

if [ ! -e ca.crt ]; then
	echo "no ca certificate created"
	exit 1
fi

echo "creating key for $NAME with serial $SERIAL"
openssl genrsa -out $NAME.key 4096
openssl req -new -key $NAME.key -out $NAME.csr \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=$NAME/emailAddress=office@coffeebeans.at"
openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key \
  -set_serial $SERIAL -in $NAME.csr -out $NAME.crt

rm *.csr

#!/bin/bash

# usage: ./create-key.sh CN

NAME=$1

SERIAL=`ls -l *.key | wc -l`

if [ $SERIAL -lt 10 ]; then

SERIAL="0$SERIAL"

if [ -e $NAME.key ]; then

echo "$NAME.key already exists"

exit 1

if [ ! -e ca.crt ]; then

echo "no ca certificate created"

exit 1

echo "creating key for $NAME with serial $SERIAL"

openssl genrsa -out $NAME.key 4096

openssl req -new -key $NAME.key -out $NAME.csr \

-subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=$NAME/emailAddress=office@coffeebeans.at"

openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key \

-set_serial $SERIAL -in $NAME.csr -out $NAME.crt

rm *.csr

Ubuntu: Docker behind proxy

Posted on August 7, 2017 by manuel

sudo mkdir /etc/systemd/system/docker.service.d
cat /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://proxy-address:8080/"
Environment="HTTPS_PROXY=http://proxy-address:8080/"
Environment="NO_PROXY=localhost,127.0.0.1,.localdomain"

sudo systemctl daemon-reload
sudo systemctl restart docker

sudo mkdir /etc/systemd/system/docker.service.d

cat /etc/systemd/system/docker.service.d/http-proxy.conf

[Service]

Environment="HTTP_PROXY=http://proxy-address:8080/"

Environment="HTTPS_PROXY=http://proxy-address:8080/"

Environment="NO_PROXY=localhost,127.0.0.1,.localdomain"

sudo systemctl daemon-reload

sudo systemctl restart docker

12factor App

Posted on August 3, 2017 by manuel

found an interesting page about some base principals you should remember when building an application: https://12factor.net/de/

Java base project for website under tomcat

Posted on April 30, 2017 by manuel

see https://github.com/mbogner/java-website-base

Manuel's Cheat Sheet

Solutions to everyday IT problems

run kong with compose

IntelliJ IDEA on Mac OS

Java 9 released

Openssl certificates for apache

Robo 3T MongoDB client fails to start on ubuntu 16.04

failed to run Kubelet: failed to create kubelet: misconfiguration: kubelet cgroup driver: “systemd” is different from docker cgroup driver: “cgroupfs”

SSL certificates for apache

Ubuntu: Docker behind proxy

12factor App

Java base project for website under tomcat